UK small and medium-sized enterprises (SMEs) that are preparing to switch off for Christmas will leave themselves vulnerable to attack, according to new research commissioned by global cybersecurity company Kaspersky.

The survey of 500 SME owners across the UK reveals that Christmas shutdowns have become a major cybersecurity blind spot. Nearly a third will close for three to five days, while others extend their break to a week or longer. More than four in five SMEs plan to close their business for at least a day over Christmas, while just 19% will remain fully operational throughout the festive period.

Worryingly, IT oversight during holiday season downtime is inconsistent at best. While half of SMEs rely on in-house IT teams or external providers, a quarter will leave cybersecurity in the hands of non-specialist staff, and one in four admits that no one monitors their systems at all while the business is closed.

This risk is sharpened by PwC’s Minimum Viable Company (MVC) concept, which highlights the essential services and systems that must remain protected to keep an organisation operational during disruption. For SMEs — whose critical functions are often concentrated in just a few technologies, processes and suppliers — even a short lapse in monitoring over Christmas can expose precisely the assets needed to stay viable.

Despite this lack of specialist coverage, 82% of SMEs describe themselves as confident in their cybersecurity during the Christmas period. This over-confidence, combined with a lack of vigilance, is especially concerning, given that 35% of SMEs have experienced a confirmed or suspected cyber incident during a previous holiday season.

The research shines further light on the potential for complacency, with almost a quarter (22%) of SME owners saying they are not worried about any particular cyber threat over Christmas, though phishing and ransomware remain among the most feared risks for those who are concerned. When asked what preparations they make before closing for the holidays, SMEs most commonly cited backing up data or installing routine updates, but roughly one in eight take no cybersecurity precautions at all, and only a minority test their incident response plans or warn staff about seasonal phishing scams.

Looking to 2026, many SMEs acknowledge the need to strengthen their defences, but plans remain vague. While businesses express interest in improving backups, threat detection and staff training, only 19% say they will definitely invest in cybersecurity in the year ahead, and almost as many say they are unlikely to invest at all.

“A toxic selection box of holiday pressures, year-end work deadlines, financial demands, and social obligations means December can be one of the most stressful times of the year. This is especially true for small business owners, who often take on more than their fair share of the workload over the festive period. IT security can slip off the ‘to do’ list for some,” warns Anna Papla, UK territory channel manager at Kaspersky.